9
Threat Modeling
Analyzing the design of a system
Engineers know their code and how it changes
Really, really hard for normal engineers to do
– Requires a skillset acquired by osmosis (the security mindset)
– Overcome creator blindness
– Extreme consequences for errors or omissions
– Training (version 1): Think like an attacker
And the consequences…

13
Flow & Engineering
"…the person is fully immersed in what he or she is doing, characterized by a feeling of energized focus, full involvement, and success…"
Elements of flow
– The activity is intrinsically rewarding
– People become absorbed in the activity
– A loss of the feeling of self-consciousness
– Distorted sense of time
– A sense of personal control over the situation or activity
– Clear goals
– Concentrating and focusing
– Direct and immediate feedback
– Balance between ability level and challenge

19
Approach: Draw on Serious Games
Field of study since about 1970
– "serious games in the sense that these games have an explicit and carefully thought-out educational purpose and are not intended to be played primarily for amusement." (Clark Abt)
Now includes tabletop exercises, persuasive games, games for health, etc.

20
Elevation of Privilege is the easy way to get started threat modeling

22
How to play
Deal out all the cards
Play hands (once around the table)
– Connect the threat on a card to the diagram
– Play in a hand stays in the suit
Play once through the deck
Take notes:
  Player   Points   Card   Component   Notes
  ______   ______   ____   _________   ______________
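An added example (not from the talk or the Elevation of Privilege game materials) that models one hand of play and the notes sheet above: the suit rule is enforced, and each play is recorded as a Player / Points / Card / Component / Notes row. The deck's suits being the STRIDE categories is a fact about the game; the card naming scheme, the diagram components and the one-point-per-connected-threat scoring are assumptions made for the example.

```python
from collections import defaultdict

# Suits of the Elevation of Privilege deck are the STRIDE threat categories.
SUITS = ("Spoofing", "Tampering", "Repudiation", "Information Disclosure",
         "Denial of Service", "Elevation of Privilege")

def suit_of(card):
    """Assumed card naming: '<suit> <rank>', e.g. 'Tampering 7'."""
    for suit in SUITS:
        if card.startswith(suit + " "):
            return suit
    raise ValueError(f"unknown suit on card {card!r}")

class Hand:
    """One hand (once around the table); every play stays in the suit that was led."""
    def __init__(self):
        self.lead_suit = None
        self.plays = []  # rows of the notes sheet

    def play(self, player, card, component=None, notes=""):
        suit = suit_of(card)
        if self.lead_suit is None:
            self.lead_suit = suit
        elif suit != self.lead_suit:
            raise ValueError(f"{player} must follow {self.lead_suit}, not {suit}")
        # Assumption: one point when the threat is connected to a diagram component.
        points = 1 if component else 0
        self.plays.append({"Player": player, "Points": points, "Card": card,
                           "Component": component or "-", "Notes": notes})
        return points

def score(hands):
    totals = defaultdict(int)
    for hand in hands:
        for row in hand.plays:
            totals[row["Player"]] += row["Points"]
    return dict(totals)

def notes_sheet(hands):
    cols = ("Player", "Points", "Card", "Component", "Notes")
    lines = ["\t".join(cols)]
    for hand in hands:
        lines += ["\t".join(str(row[c]) for c in cols) for row in hand.plays]
    return "\n".join(lines)

# Constructed sample: three players, a diagram with a browser, web server and database.
hand = Hand()
hand.play("Alice", "Tampering 7", "web server", "request body used before validation")
hand.play("Bob", "Tampering 9", "database", "no integrity check on replicated rows")
hand.play("Carol", "Tampering 4")  # threat not connected to the diagram: no point
```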

31
Context
Engineers are smart & busy people
– Easy to forget how complex it is when it's your job
– Hard to not admire the problem
No time in the schedule for UI design & test
We need to design flow experiences for engineers

32
Things we hear
"I'm an engineer, not a usability person"
"Can we sprinkle some security usability dust?"
"The problem is between the keyboard and chair"
"What are the top 5 things to make this usable?"
… all indicate a lack of flow in usability engineering efforts

34
What's the right thing?
Warning from old IE version:
– Uses the confusing term "revocation information"
– Does not explain why the user should be concerned
– Does not help the user decide
– Makes no recommendation to the user
– Easy to get security experts arguing over revocation information

37
What do people want?
Simple and actionable
We're working on guidance for warnings and prods
– Simple
– Concrete
– Easy to compare version A to B
How to get there? Ensure each:
– Must involve a user choice
– Clearly lays out the issue, why it matters
– Provides actionable guidance
– Is validated from a UI & security perspective
How to get there? Ensure each is:
– Necessary: Must involve a choice the user can make
– Explained: Clearly lays out the issue, why it matters
– Actionable: Provides steps the user can take
– Tested in benign & malicious scenarios (security & UI)

38
Is your security UX… Necessary? Can you just be safe?
Guidance: When possible, automatically take the safest option and, optionally, notify the user that other options are available.
Example: Rather than forcing a trust decision, Office 2007 and 2010 applications show safe content and give a non-blocking notification that additional, possibly unsafe, content is available.
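An added example (not code from the talk or from Office) of the "can you just be safe?" pattern: the safe part of a document is rendered immediately, the possibly unsafe part is held back, and the user gets a non-blocking notification carrying an action instead of a blocking trust prompt. The document model, the content kinds treated as unsafe and the sample document are all constructed for the example.

```python
from dataclasses import dataclass

# Assumed content kinds that are never loaded without an explicit user choice.
UNSAFE_KINDS = {"macro", "external_link", "embedded_object"}

@dataclass
class Document:
    body: str            # always safe to show
    extras: list         # (kind, payload) pairs of additional content

@dataclass
class Notification:
    """Non-blocking: informs and offers an action, never halts rendering."""
    message: str
    blocked_kinds: tuple
    action: str = "Enable additional content"

def open_document(doc, trusted=False):
    """Safest option by default: render safe content, defer the rest to a notice."""
    rendered, blocked = [doc.body], []
    for kind, payload in doc.extras:
        if kind in UNSAFE_KINDS and not trusted:
            blocked.append(kind)      # held back, nothing executed or fetched
        else:
            rendered.append(payload)
    notice = None
    if blocked:
        kinds = tuple(sorted(set(blocked)))
        notice = Notification(
            message=f"Additional content ({', '.join(kinds)}) was not loaded.",
            blocked_kinds=kinds)
    return "\n".join(rendered), notice

def enable_content(doc):
    """Runs only after the user picks the notification's action."""
    return open_document(doc, trusted=True)

# Constructed sample: a report with a chart, a macro and an external link.
SAMPLE = Document("Quarterly report text",
                  [("image", "[chart]"), ("macro", "AutoOpen()"),
                   ("external_link", "http://example.invalid/data")])
```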

39
Does your security UX… Clearly Explain the Issue?
Guidance: Provide the user with all the information necessary to make the right decision:
– Source of the decision
– Process that the user should follow
– Risk of various choices
– Unique knowledge the user brings
– Choices the user can make (including a recommendation)
– Evidence that influences the decision
SPRUCE replaces the earlier CHARGES

40
What to fix first?
Tool to prioritize and make tradeoffs between bugs (rows in decreasing order of importance):
1. Main criteria: Even a security or privacy expert couldn't make the right decision in a scenario which is on the box or which an attacker could invoke
   Supporting criteria: Misleading security info or indicators (includes no security indicator)
2. Main criteria: Only a security or privacy expert could make the right decision
   Supporting criteria: No/bad/insufficient guidance
3. Main criteria: Anyone could make the right decision, but they'd have to really be paying attention
   Supporting criteria: Experiences that lack recommendation, which habituate users, or which are randomly different than other TUXes

41
Usability for normal people
How do we educate users?
– No one has time to be trained
Need environments which allow people to form models
– Quickly & accurately
One model per person
– Work, home, government, banks, medical care need to align to encourage models to form

42
Creating a Learning Environment
Long, noisy channel to reach people
– Look for spelling errors in the email?
– Need advice that resists innovation
– Need advice that resists malice
We need to engineer guidance which is
– Durable: resistant to innovation and malice
– Memorable: stop, drop & roll
– Effective: actually protect people
– Consistent: no public arguments about passwords
– Few: people make shopping lists for a reason
Use that guidance as we construct systems

43
Usability tools for Engineers
Principles and Guidance are both worthwhile research areas
– One-page guidance is hard to find
– Need ways to create guidance
– Need to craft a learning environment